Previously, in cookie hijacking mode, policy agents sent the IP address
of the server where they were installed to the OpenSSO Enterprise server.
Now, the policy agent first sends the application SSO token. If the agent
cannot obtain the application SSO token, the agent then sends the IP address
to the OpenSSO Enterprise server.

If strict DN checking is required for a deployment, OpenSSO Enterprise
server includes the new iplanet-am-session-dnrestrictiononly property.

The default value is false. If this property is set
to true, the OpenSSO Enterprise server performs strict
DN checking. If the agent sends an IP address, the OpenSSO Enterprise server
considers the IP address to be an error.

To set iplanet-am-session-dnrestrictiononly for strict
DN checking:

1. Add the property with a value of true using
   either the OpenSSO Enterprise Admin Console or the ssoadm utility.

2. Restart the OpenSSO Enterprise server web container for the
   DN checking to take effect.